Merge remote-tracking branch 'upstream/4.3' into 4.3-master-2013-08-28-20-20-34
[civicrm-core.git] / CRM / Core / DAO / permissions.php
1<?php
2
3/*
4 +--------------------------------------------------------------------+
232624b1 5 | CiviCRM version 4.4 |
6 +--------------------------------------------------------------------+
7 | Copyright CiviCRM LLC (c) 2004-2013 |
8 +--------------------------------------------------------------------+
9 | This file is a part of CiviCRM. |
10 | |
11 | CiviCRM is free software; you can copy, modify, and distribute it |
12 | under the terms of the GNU Affero General Public License |
13 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | |
15 | CiviCRM is distributed in the hope that it will be useful, but |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
18 | See the GNU Affero General Public License for more details. |
19 | |
20 | You should have received a copy of the GNU Affero General Public |
21 | License and the CiviCRM Licensing Exception along |
22 | with this program; if not, contact CiviCRM LLC |
23 | at info[AT]civicrm[DOT]org. If you have questions about the |
24 | GNU Affero General Public License or the licensing of CiviCRM, |
25 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
26 +--------------------------------------------------------------------+
27*/
28
/**
 * Work out which permissions an API v3 call has to be checked against.
 *
 * Documented contract: the contact must hold every permission in the returned
 * list for the call to be allowed. An empty list therefore means that this
 * function imposes no permission requirement of its own on the call.
 *
 * Resolution order:
 *  1. 'create' becomes 'update' when the params carry an id.
 *  2. CRM_Utils_Hook::alterAPIPermissions() is handed the entity, action,
 *     params and the whole table.
 *  3. The entity's entries are laid over the global defaults.
 *  4. An exact entry for the action wins; otherwise the action is reduced to
 *     a generic one (delete / update / meta / get) and looked up again.
 *  5. Anything still unmatched falls back to the 'default' entry.
 *
 * @param string $entity
 *   API entity name; normalised by _civicrm_api_get_entity_name_from_camel().
 * @param string $action
 *   API action; compared in lower case.
 * @param array $params
 *   API params. Read for 'id' and '<entity>_id', then passed on to the hook.
 *
 * @return array
 *   Permission names to check for this entity/action combination.
 */
function _civicrm_api3_permissions($entity, $action, &$params) {
  $entity = _civicrm_api_get_entity_name_from_camel($entity);
  $action = strtolower($action);

  // Permission table, keyed by entity and then by action. Action keys:
  //  - create:  create (with no id in params)
  //  - update:  update, setvalue, create (with id in params)
  //  - get:     getcount, getsingle, getvalue and other gets
  //  - delete:  delete, replace
  //  - meta:    getfields, getoptions, getspec
  //  - default: catch-all for anything not declared
  // Some entities declare further actions of their own.
  $permissions = array(
    // Global defaults, used whenever an entity declares nothing for an action
    // or is not listed at all.
    'default' => array(
      // applies to getfields, getoptions, etc.
      'meta' => array('access CiviCRM'),
      // Catch-all for create, get, delete, etc.: undeclared combinations are
      // restricted to administrators. An entity's own 'default' overrides it.
      'default' => array('administer CiviCRM'),
    ),
  );

  // Contact permissions
  $permissions['contact'] = array(
    'create' => array('access CiviCRM', 'add contacts'),
    'delete' => array('access CiviCRM', 'delete contacts'),
    // Managed by the query object, so nothing is required here.
    // NOTE(review): through the prefix mapping at the end of this function,
    // any contact action starting with 'get' that has no entry of its own
    // (and is not getfields/getspec/getoptions) resolves to this empty list;
    // such actions must enforce access themselves.
    'get' => array(),
    'update' => array('access CiviCRM', 'edit all contacts'),
    'getquick' => array('access CiviCRM'),
  );

  // Contact-related data permissions
  $permissions['address'] = array(
    'get' => array('access CiviCRM', 'view all contacts'),
    'delete' => array('access CiviCRM', 'delete contacts'),
    'default' => array('access CiviCRM', 'edit all contacts'),
  );
  // These entities share the address rules.
  foreach (array('email', 'phone', 'website', 'im', 'loc_block', 'entity_tag', 'note') as $alias) {
    $permissions[$alias] = $permissions['address'];
  }

  // Activity permissions
  $permissions['activity'] = array(
    'delete' => array('access CiviCRM', 'delete activities'),
    'default' => array('access CiviCRM', 'view all activities'),
  );

  // Case permissions
  $permissions['case'] = array(
    'create' => array('access CiviCRM', 'add cases'),
    'delete' => array('access CiviCRM', 'delete in CiviCase'),
    'default' => array('access CiviCRM', 'access all cases and activities'),
  );

  // Financial permissions
  $permissions['contribution'] = array(
    'get' => array('access CiviCRM', 'access CiviContribute'),
    'delete' => array('access CiviCRM', 'access CiviContribute', 'delete in CiviContribute'),
    // NOTE(review): unlike the other contribution actions this entry lists
    // neither 'access CiviCRM' nor 'access CiviContribute' - confirm that is
    // intended. line_item inherits the same entry.
    'completetransaction' => array('edit contributions'),
    'default' => array('access CiviCRM', 'access CiviContribute', 'edit contributions'),
  );
  $permissions['line_item'] = $permissions['contribution'];

  // Custom field permissions
  $permissions['custom_field'] = array(
    'default' => array('administer CiviCRM', 'access all custom data'),
  );
  $permissions['custom_group'] = $permissions['custom_field'];

  // Event permissions
  $permissions['event'] = array(
    'create' => array('access CiviCRM', 'access CiviEvent', 'edit all events'),
    'delete' => array('access CiviCRM', 'access CiviEvent', 'delete in CiviEvent'),
    'get' => array('access CiviCRM', 'access CiviEvent', 'view event info'),
    'update' => array('access CiviCRM', 'access CiviEvent', 'edit all events'),
  );

  // File permissions
  $permissions['file'] = array(
    'default' => array('access CiviCRM', 'access uploaded files'),
  );
  $permissions['files_by_entity'] = $permissions['file'];

  // Group permissions
  $permissions['group'] = array(
    'get' => array('access CiviCRM'),
    'default' => array('access CiviCRM', 'edit groups'),
  );
  foreach (array('group_contact', 'group_nesting', 'group_organization') as $alias) {
    $permissions[$alias] = $permissions['group'];
  }

  // Membership permissions
  $permissions['membership'] = array(
    'get' => array('access CiviCRM', 'access CiviMember'),
    'delete' => array('access CiviCRM', 'access CiviMember', 'delete in CiviMember'),
    'default' => array('access CiviCRM', 'access CiviMember', 'edit memberships'),
  );
  foreach (array('membership_status', 'membership_type') as $alias) {
    $permissions[$alias] = $permissions['membership'];
  }
  // Payment entities require both the owning component's permissions and the
  // matching CiviContribute ones.
  $permissions['membership_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviMember',
      'delete in CiviMember',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array('access CiviCRM', 'access CiviMember', 'access CiviContribute'),
    'update' => array(
      'access CiviCRM',
      'access CiviMember',
      'edit memberships',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Participant permissions
  $permissions['participant'] = array(
    'create' => array('access CiviCRM', 'access CiviEvent', 'register for events'),
    'delete' => array('access CiviCRM', 'access CiviEvent', 'edit event participants'),
    'get' => array('access CiviCRM', 'access CiviEvent', 'view event participants'),
    'update' => array('access CiviCRM', 'access CiviEvent', 'edit event participants'),
  );
  $permissions['participant_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviEvent',
      'register for events',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array(
      'access CiviCRM',
      'access CiviEvent',
      'view event participants',
      'access CiviContribute',
    ),
    'update' => array(
      'access CiviCRM',
      'access CiviEvent',
      'edit event participants',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Pledge permissions
  $permissions['pledge'] = array(
    'create' => array('access CiviCRM', 'access CiviPledge', 'edit pledges'),
    'delete' => array('access CiviCRM', 'access CiviPledge', 'delete in CiviPledge'),
    'get' => array('access CiviCRM', 'access CiviPledge'),
    'update' => array('access CiviCRM', 'access CiviPledge', 'edit pledges'),
  );
  $permissions['pledge_payment'] = array(
    'create' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
    'delete' => array(
      'access CiviCRM',
      'access CiviPledge',
      'delete in CiviPledge',
      'access CiviContribute',
      'delete in CiviContribute',
    ),
    'get' => array('access CiviCRM', 'access CiviPledge', 'access CiviContribute'),
    'update' => array(
      'access CiviCRM',
      'access CiviPledge',
      'edit pledges',
      'access CiviContribute',
      'edit contributions',
    ),
  );

  // Profile permissions
  $permissions['profile'] = array(
    // Nothing required here: the profile is expected to take care of access.
    'get' => array(),
  );
  $permissions['uf_group'] = array(
    'get' => array('access CiviCRM'),
  );
  $permissions['uf_field'] = $permissions['uf_group'];

  // A 'create' that names an existing record (id or <entity>_id) is an update,
  // so it is checked against the update permissions.
  if ($action === 'create' && (!empty($params['id']) || !empty($params[$entity . '_id']))) {
    $action = 'update';
  }

  // Let third parties modify the permissions. Every hook implementation is
  // thereby part of the API's authorization decision.
  // NOTE(review): which of these arguments the hook may change depends on its
  // signature, which is not visible here - confirm.
  CRM_Utils_Hook::alterAPIPermissions($entity, $action, $params, $permissions);

  // Entity-specific entries take precedence; the array union only fills in the
  // action keys the entity left undeclared.
  $declared = CRM_Utils_Array::value($entity, $permissions, array());
  $perm = $declared + $permissions['default'];

  // An entry declared for exactly this action wins.
  if (isset($perm[$action])) {
    return $perm[$action];
  }

  // Otherwise reduce the action to its generic equivalent. Matching is by
  // exact name or by the first three characters of the action.
  $prefix = substr($action, 0, 3);
  $metaActions = array('getfields', 'getspec', 'getoptions');
  if ($action === 'replace' || $prefix === 'del') {
    // 'Replace' is a combination of get+create+update+delete; however, the
    // permissions on each of those will be tested separately at runtime. This
    // is just a sniff-test based on the heuristic that 'delete' tends to be
    // the most closely guarded of the necessary permissions.
    $generic = 'delete';
  }
  elseif ($action === 'setvalue' || $prefix === 'upd') {
    $generic = 'update';
  }
  elseif (in_array($action, $metaActions, TRUE)) {
    $generic = 'meta';
  }
  elseif ($prefix === 'get') {
    $generic = 'get';
  }
  else {
    $generic = $action;
  }

  if (isset($perm[$generic])) {
    return $perm[$generic];
  }
  return $perm['default'];
}
419
420# FIXME: not sure how to permission the following API 3 calls:
421# contribution_transact (make online contributions)
422# entity_tag_display
423# group_contact_pending
424# group_contact_update_status
425# mailing_event_bounce
426# mailing_event_click
427# mailing_event_confirm
428# mailing_event_forward
429# mailing_event_open
430# mailing_event_reply
431# mailing_group_event_domain_unsubscribe
432# mailing_group_event_resubscribe
433# mailing_group_event_subscribe
434# mailing_group_event_unsubscribe
435# membership_status_calc
436# survey_respondant_count